SPECIFICATION
TO ALL WHOM IT MAY CONCERN: 

Be it known that Ashwin Palekar, citizen of Canada, and Bernard D. Aboba, Michael 
Guittet, Todd L. Paul, David L. Eitelbach, and Stephen E. Bensley, citizens of the United 
States, and Narendra C. Gidwani, citizen of India, and residents respectively of Redmond, WA, 
Bellevue, WA, Redmond, WA, Snohomish, WA, Seattle, WA, Bellevue, WA and Kirkland, 
WA have invented a certain new and useful METHOD OF ENFORCING A POLICY ON A 
COMPUTER NETWORK of which the following is a specification. 

PATCOVER (Rev. 9/4/1998) 



METHOD OF ENFORCING A POLICY ON A COMPUTER NETWORK 

TECHNICAL FIELD 

The invention relates generally to computer network administration and, more 
particularly, to a method of enforcing a policy on a computer network. 

BACKGROUND OF THE INVENTION 

With the growing popularity of computer networking and the growth of large 
computer networks, it is becoming increasingly necessary for network administrators 
to establish and implement network policies. Policies are needed to address a variety 
of issues, including security, load balancing and bandwidth allocation. Many policies 
are directed to different types of users. For example, a corporation may have a policy 
that restricts outside contractors to certain resources on the network, while allowing 
unrestricted access by employees. An Internet service provider (ISP) may also have 
policies, such as to allow for different levels of service for different customers. 

There are many products that allow the implementation of network policies on 
a user-by-user basis. One example is the MICROSOFT WINDOWS NT v 4.0 brand 
operating system, which has a feature known as the RAS - REMOTE ACCESS 
SERVICE, which allows the implementation of policies that regulate remote access 
on a per-user basis. But enforcing network policies in such an ad hoc manner puts a 
tremendous burden on network administrators, since it requires them to get involved 
each time a user's account is established in order to apply the policy to that user. 



Thus, it can be seen that there is a need for a method of enforcing network policies 
that reduces the amount of involvement required by network administrators. 

SUMMARY OF THE INVENTION 

In accordance with this need, a method of enforcing a policy on a computer 
network is provided. The method is generally embodied in a policy server program 
that, in response to a user's attempt to access a network from a computer, evaluates 
one or more policy statements. Each policy statement expresses an implementation of 
a policy of the network, and is preferably expressed using the format 

If <condition(s)> then Profile 
The condition or conditions of a policy statement may include, but are not limited to: 
the group or groups to which a user belongs, the type of communication medium 
over which the user is accessing the network, and, in the case of dial-up 
networking, the location into which the user is calling. The conditions may also be 
easily modified and combined using standard logical operators, such as AND, OR and 
NOT. 

If a policy statement is evaluated to be true, a profile associated with the 
policy statement is applied to the user. A profile contains one or more actions that are 
to be taken with respect to the user. Actions include authorization parameters for 
determining whether a user is authorized access to a resource on the network, and 
communication parameters that are usable to configure a data path between the user's 
computer and the network. Multiple actions within a profile may be ordered in a 
hierarchy so that they are performed in a particular order. Groups of policy 
statements may also be ordered into hierarchies. 

The ability to implement policies on a group basis relieves network 
administrators of the burden associated with previous systems. To enforce a policy 
on a group basis, the policy server program responds to a user login attempt by 
determining the identity of the group or groups to which the user belongs. This is 
accomplished by referencing one or more group attributes contained in a user object 
located in a directory on the network. The user object and its group attributes are 
created when the user is added to the directory, while a policy statement for a group 
can be created at any time. This functional separation of placing a user in a group 
from creating a group policy minimizes the amount of involvement required by 
network administrators, as they will only be required to establish actions for each 
group, rather than for each user individually. The addition of an individual user to a 
group can be performed by a person with little or no networking expertise, and the 
actions established for the user's group or groups will automatically be applied. The 
method also allows actions to be overridden on a per user basis, if desired. 

Additional features and advantages of the invention will be made apparent 
from the following detailed description of illustrative embodiments which proceeds 
with reference to the accompanying figures. 

BRIEF DESCRIPTION OF THE DRAWINGS 



Figure 1 is a block diagram illustrating an exemplary computer on which the 
present invention can reside; 



Fig. 2 is a block diagram illustrating an embodiment of the invention as 
implemented on an exemplary computer network; 

Fig. 3a shows an exemplary set of policy statements and corresponding 
profiles in accordance with the present invention; 

Fig. 3b shows another exemplary set of policy statements and corresponding 
profiles in accordance with the present invention; 

Fig. 4 is a flowchart generally depicting the procedure for responding to an 
attempt by a user to access a network in which the invention is implemented; 

Fig. 5 is a flowchart generally depicting the procedure for adding a user to the 
directory in accordance with the present invention; and 

Fig. 6 is a flowchart generally depicting the procedure for creating a policy 
statement and a profile in accordance with the present invention. 
DETAILED DESCRIPTION OF THE INVENTION 

Turning to the drawings, wherein like reference numerals refer to like 
elements, the invention is illustrated as being implemented in a suitable computing 
environment. Although not required, the invention will be described in the general 
context of computer-executable instructions, such as programs, being executed by a 
computer. Generally, programs include routines, other programs, objects, 
components, data structures, dynamic-linked libraries (DLLs), executable code, etc. 
that perform particular tasks or implement particular abstract data types. Moreover, 
those skilled in the art will appreciate that the invention may be practiced with other 
computer system configurations, including hand-held devices, multi-processor 
systems, microprocessor based or programmable consumer electronics, network PCs, 
minicomputers, mainframe computers, and the like. The invention may also be 
practiced in distributed computing environments where tasks are performed by remote 
processing devices that are linked through a communications network. In a 
distributed computing environment, parts of a program may be located in both local 
and remote memory storage devices. 

With reference to Figs. 1 and 2, an exemplary system for implementing the 
invention is shown. As best shown in Fig. 1, the system includes a general purpose 
computing device in the form of a conventional computer 20, including a processing 
unit 21, a system memory 22, and a system bus 23 that couples various system 
components including the system memory to the processing unit 21. The system bus 
23 may be any of several types of bus structures including a memory bus or memory 
controller, a peripheral bus, and a local bus using any of a variety of bus architectures. 



The system memory may include read only memory (ROM) 24 and random access 
memory (RAM) 25. A basic input/output system (BIOS) 26, containing the basic 
routines that help to transfer information between elements within the computer 20, 
such as during start-up, may be stored in the ROM 24. The computer 20 may further 
include a hard disk drive 27 for reading from and writing to a hard disk 60, a 
magnetic disk drive 28 for reading from or writing to a removable magnetic disk 29, 
and an optical disk drive 30 for reading from or writing to a removable optical disk 31 
such as a CD ROM or other optical media. 

If included in the computer 20, the hard disk drive 27, magnetic disk drive 28, 
and optical disk drive 30 may be connected to the system bus 23 by a hard disk drive 
interface 32, a magnetic disk drive interface 33, and an optical disk drive interface 34, 
respectively. The drives and their associated computer-readable media provide 
nonvolatile storage of computer readable instructions, data structures, programs and 
other data for the computer 20. Although the exemplary environment described 
herein employs a hard disk 60, a removable magnetic disk 29, and a removable 
optical disk 31, it will be appreciated by those skilled in the art that other types of 
computer readable media which can store data that is accessible by a computer, such 
as magnetic cassettes, flash memory cards, digital video disks, Bernoulli cartridges, 
random access memories, read only memories, and the like may also be used in the 
exemplary operating environment. 

A number of programs may be stored on the hard disk 60, magnetic disk 29, 
optical disk 31, ROM 24 or RAM 25, including an operating system 35, one or more 
applications programs 36, other programs 37, and program data 38. A user may enter 
commands and information into the computer 20 through input devices such as a 
keyboard 40, which is typically connected to the computer 20 via a keyboard 
controller 62, and a pointing device, such as a mouse 42. Other input devices (not 
shown) may include a microphone, joystick, game pad, satellite dish, scanner, or the 
like. Input devices as well as peripheral devices may be connected to the processing 
unit 21 through a serial port interface 46 that is coupled to the system bus, a parallel 
port, game port, universal serial bus (USB), 1394 bus, or other interfaces. A monitor 
47 or other type of display device is also connected to the system bus 23 via an 
interface, such as a video adapter 48. In addition to the monitor, computers typically 
include other devices not shown, such as speakers and printers. 

The computer 20 may operate in a networked environment using logical 
connections to one or more devices within a network 63, including another personal 
computer, a server, a router, a network PC, a peer device or other common network 
node. These devices typically include many or all of the elements described above 
relative to the computer 20. The logical connections depicted in Figs. 1 and 2 
include one or more network links 51, for which there are many possible 
implementations, including a local area network (LAN) link and a wide area network 
(WAN) link. Such networking links are commonplace in offices, enterprise-wide 
computer networks, intranets and the Internet. It will be appreciated that the network 
connections shown are exemplary and other means of establishing a data path 
between the computers may be used. When used in a LAN, the computer 20 may be 
connected to the network 63 through a network interface or adapter 53. When used in 
a WAN, the computer 20 typically includes a modem 54 or other means for 
establishing communications over the network link 51, as shown by the dashed line in 
Fig. 1. The network link 51 may also be created via conventional dial-up networking, 
the Internet, Digital Subscriber Line (DSL), Asynchronous Transfer Mode (ATM), 
Virtual Private Network (VPN) or any other conventional communication medium. 
The modem 54 may be connected to the system bus 23 via the serial port interface 46, 
and may be external or internal. In a networked environment, programs depicted 
relative to the computer 20, or portions thereof, may be stored on other devices within 
the network 63. 

As best shown in Fig. 2, the network 63 includes a network access server 
(NAS) 66 that acts as a gateway for a computer 20 by creating a data path between 
the network 63 and the computer 20. The computer 20 communicates with the NAS 
66 via a network link 51. It is understood that the physical separation between the 
computer 20 and the network 63 may range from very small to very great. The 
computer network 63 also includes a directory server 67 and a policy server 68 whose 
functions will be described below in further detail. The functions of the policy server 
68, NAS 66, and the directory server 67 do not have to be performed by separate 
computers, and, in fact, some or all of the functions may be performed by a single 
computer. These functions are shown as being performed by different computers 
only for the sake of clarity. The architecture of the directory server 67 and policy 
server 68 includes many or all of the elements shown in Fig. 1 with respect to the 
computer 20. 

In the description that follows, the invention will be described with reference 
to acts and symbolic representations of operations that are performed by one or more 
computers, unless indicated otherwise. As such, it will be understood that such acts 
and operations, which are at times referred to as being computer-executed, include the 
manipulation by the processing unit of the computer of electrical signals representing 
data in a structured form. This manipulation transforms the data or maintains it at 
locations in the memory system of the computer, which reconfigures or otherwise 
alters the operation of the computer in a manner well understood by those skilled in 
the art. The data structures where data is maintained are physical locations of the 
memory that have particular properties defined by the format of the data. However, 
while the invention is being described in the foregoing context, it is not meant to be 
limiting as those of skill in the art will appreciate that various of the acts and 
operations described hereinafter may also be implemented in hardware. 

Referring to Fig. 2, the invention is generally realized as a policy server 
program 70 which executes on the policy server 68, which in turn is linked for 
communication with the network access server (NAS) 66 over a network link 51. The 
NAS 66 provides the computer 20 with an access point to the network 63. After 
access is granted to the computer 20, the NAS 66 creates a data path between the 
computer 20 and the computer network 63. The policy server 68 then provides the 
NAS 66 with a profile 76 containing one or more actions for the NAS 66 to perform. 
Types of actions include, but are not limited to, authorization parameters, which the 
NAS 66 uses to determine whether to grant or deny access to network resources, as 
well as communication parameters which the NAS 66 uses to configure the data path. 
More specifically, the NAS 66 uses the communication parameters to control the 
characteristics of the data path, such as the bandwidth, speed, IP address, media, 
protocols used, and the like, in order to enforce the policies of the network. In order 
to obtain the appropriate set of actions, the policy server program 70 references one or 
more policy statements 74. Each policy statement 74 expresses an implementation of 
one or more policies for the network 63. In a preferred embodiment, a policy 
statement has the format 

If <condition(s)> then Profile 

If the conditions are satisfied, the policy server program 70 transmits the profile 76 
associated with the policy statement to the NAS 66. 

The computer network 63 also includes one or more instances of a directory 
78 which is depicted in Fig. 2 as being stored on a directory server 67. In a preferred 
embodiment, the directory 78 is the "ACTIVE DIRECTORY" of the "MICROSOFT 
WINDOWS NT" or the "MICROSOFT WINDOWS 2000" brand operating systems. 
The directory 78 contains a set of user objects 80. Each user object 80 is a data 
structure that is associated with a recognized user of the network 63 and contains user 
attributes (or pointers thereto) that describe one or more characteristics of the user. 
The user attributes include one or more group attributes, which indicate the identity of 
the group or groups to which the user belongs. A "group" is a way of organizing 
users on a network and it is up to the discretion of the organization controlling the 
network 63 to determine how the groups are delineated. For example, employees in a 
corporation may be organized into groups according to their occupations, such as 
"secretary," "engineer," or "accountant." An ISP might organize users into groups 
according to their monthly pricing plans, such as "Flat_rate" or "hourly." Organizing 
users into groups is a well known technique in the "MICROSOFT WINDOWS 2000" 
brand operating system environment. The policy server program 70 references the 
user object to determine the group or groups to which a user belongs and, consequently, 
which policy statements apply to the user. The user object 80 may also include the 
username and password of the user as well as an override attribute whose function 
will be described in further detail below. 

Referring to Fig. 3a, an example of a set of policy statements 302-306 and 
corresponding profiles 312-316 that might be used in a corporation's internal network 
is shown. The conditions required for evaluating these policy statements include the 
group or groups to which a user belongs. For example, if a user belongs to the group 
"contractor," then the policy statement 302 will be evaluated as "true" and therefore 
apply to that user. Standard logical operators, such as AND, NOT and OR may also 
be used to create multiple conditions, as in the case of the policy statement 304, 
which combines the conditions "group" and "media_type." Each of the profiles 
312-316 includes one or more actions. In the illustrated embodiment, the actions are 
implemented as authorization parameters that the NAS 66 uses to grant or deny 
access to resources on the network, and communication parameters that the NAS 66 
uses to configure the data path between the computer 20 and the network 63. The 
actions illustrated in Fig. 3a include communication parameters such as 
"encryption_level" - how data travelling over the data path will be encrypted; 
"IP_address_assigned" - what IP address will be assigned to the user by the NAS 66; 
and "authentication_type" - what type of authentication will be used. The actions 
illustrated in Fig. 3a also include authorization parameters which must be logically 
"true" before access to one or more network resources is permitted. These include 
"Time_of_day" - what time of day access is permitted; "Day_of_week" - on what 
days of the week access is permitted; "caller_ID" - from what phone number 
(detected using caller ID) the user is permitted to call in order to use the remote 
access resources of the network; "IP_filter" - what servers the user is allowed to 
access; and "called_phone_number" - to control access to the long distance resources 
of the network by restricting the area codes the user may call using, for example, 
Internet telephony. Other contemplated actions that are not shown in Fig. 3a include 
a callback parameter that indicates whether the NAS 66 is supposed to call a user 
back, and a callback number to indicate which number to use when calling the user 
back. Many other actions are possible, however. 

One or more of the actions in a profile may be overridden using an override 
attribute contained in the user object of the user attempting to access the network. 
Such an override capability can be especially useful when the parameter being 
overridden is one for which user-to-user variation is expected. To override an action, 
the policy server program 70 adds the corresponding override attribute to the profile 
and deletes the action. For example, the action 318 of the profile 316 (Fig. 3a) is 
"caller_ID," which indicates to the NAS 66 the phone number from which the user is 
authorized to log in. This may initially be set up using a dummy phone number. If it 
is anticipated that a user will wish to have dial up access from home, the user's object 
80 (Fig. 2) may contain an override attribute 320 (Fig. 3a) having the user's home 
phone number. The policy server program 70 will replace the action 318 with the 
override attribute 320 prior to transmitting the profile 316 to the NAS 66. The phone 
number in the override attribute could be set by a human resources (HR) 
administrator when adding the new user to the network, as will be described below. 
Other examples of actions for which overriding may be useful include callback 
actions that indicate whether or not to call back a user and what number to use when 
calling back. Additionally, an override attribute may simply be added to a profile in 
cases where no corresponding action existed. 

The policy server program 70 may also evaluate policies based on criteria 
other than groups. Referring to Fig. 3a, the policy statement 304 is evaluated based 
on the media type over which the user is attempting to access the network as well as 
the user's group. In Fig. 3a, the policy statements are arranged in a hierarchy, so that 
if the user belongs to the group "research," and the user is attempting to access the 
network 63 over a VPN, the policy statement 304 will be applied to the user, and the 
policy server program 70 will send the profile 314 to the NAS 66. The action 322 
contained in the profile 314 will ensure that the NAS 66 configures the data path 
between the computer 20 and the network 63 with a high level of encryption. This 
may be desirable when using a VPN, since VPN transmissions are generally sent via 
the Internet. If the user belongs to the group "research" and is not using a VPN, the 
policy statement 306 will be applied to the user, and the policy server program 70 will 
transmit the profile 316 to the NAS 66, thereby allowing the data path to be 
configured with a lower level of encryption. 

The syntax used by the policy server program 70 is flexible enough to allow 
certain parameters to be used either as actions within a profile, or as conditions within 
a policy statement. For example, in the profile 312 of Fig. 3a, the action 
"Time_of_day == 0900.1700" is an authorization parameter that tells the NAS 66 to 
determine whether the time of the user's login falls between 0900 and 1700, and if it 
does not, the NAS 66 is to deny access to the network. This authorization parameter 
may also be used as a condition for a policy statement. For example, "If 
<(group == contractor) AND (Time_of_day == 0900.1700)> then Profile" is a policy 
statement that could tell the policy server program 70 to apply "Profile" if the user 
belongs to the group "contractor" and the login time is between 0900 and 1700. 
"Day_of_week" is similarly usable as either an action or a condition. 

Internet Service Providers (ISPs) may also use the policy server program 70 
for enforcing network policies with respect to different levels of service. Referring to 
Fig. 3b, exemplary policy statements 350-352 and corresponding profiles 356-358 are 
shown. In this example, the policy statements 350-352 correspond to the two 
different levels of service, which are called "basic_access" and "ISDN" and have 
different pricing schemes. As shown, the actions contained in the profiles 356-358 
include the communication parameter "QoS" - which determines the quality of 
service (QoS) of the network connection; and the authorization parameters 
"media_type" - reflecting the type of communications medium the user will be 
permitted to use in order to access the network, and "multi_link" - indicating the 
maximum number of links the user will be permitted. 

While not shown in Fig. 3b, the profiles 356-358 may also include an 
authorization parameter "number_called" - which the NAS 66 could use to determine 
whether the user is accessing the ISP network through the appropriate gateway. The 
"number_called" may be useful to restrict the geographical areas to which the user's 
service extends. For example, a user under the "basic_access" plan might only be 
allowed to access the ISP network using a gateway located in Seattle, in which case 
the field would contain a dial-up number for a NAS in Seattle. Alternatively, the 
"number_called" could be used as a condition in one of the policy statements of Fig. 
3b. This would allow an ISP to give the user a profile based not only on the user's 
group but also based on the NAS being used for dial up. 

In order to process an attempt to access the network 63 from the computer 20 
(Fig. 2), the procedure of the flowchart of Fig. 4 is followed. At step 400, the user at 
the computer 20 creates a link with the NAS 66 via telephone, cellular phone, 
internet, VPN, or other means and transmits a username and password to the NAS 66. 
The NAS 66 then conventionally evaluates the link between the computer 20 and the 
NAS 66 by determining characteristics thereof, such as the communications medium 
being used, which protocols are being implemented and the phone number from 
which the computer 20 is calling (in the case of dial-up access) at step 402. The 
NAS 66 then notifies the policy server 68 of the login attempt at step 404. In a 
preferred embodiment, this notification involves relaying the username and password 
received from the computer 20 as well as the detected link characteristics to the policy 
server 68. The policy server program 70 then attempts to retrieve the user object 80 
corresponding to the user from the directory 78 on the directory server 67 at step 406. 
If the object is found, the policy server program 70 references the object to determine 
the username, password, and the identity of any groups to which the user belongs. If 
there is no object corresponding to that user, or if the username/password combination 
submitted by the user is not correct, then the policy server program 70 transmits a 
denial message to the NAS 66 at step 410. The NAS 66 then denies the computer 20 
access to the network at step 412. Additionally, the policy server program 70 may 
also determine whether the user should be admitted or denied access to the network 
63 based on a group or groups to which the user belongs. For example, a blanket 
denial may be in effect for certain groups at certain times of day. 

If the username and password are valid for the retrieved user object 80, the 
policy server program 70 then proceeds to steps 414-424, in which it evaluates the 
policy statements 74 based on a group to which the user belongs, and, if necessary, 
based on other policy conditions. The policy server program 70 may also use the 
characteristics of the link between the computer 20 and the NAS 66 which were 
received from the NAS 66 at step 404 to evaluate the policy statements 74. In a 
preferred embodiment, the policy statements 74 are evaluated in hierarchical order 
according to steps 414 through 418. Once the policy server program 70 finds a policy 
statement that applies to the user, the policy server program selects the profile 76 that 
corresponds to that policy statement at step 420. The policy server program 70 then 
modifies the selected profile by replacing one or more of the parameters contained in 
the profile with a corresponding override attribute (if there are any) at step 422. At 
step 424, the policy server program 70 transmits the profile to the NAS 66. The NAS 
66 responds by granting or denying access to one or more network resources based on 
the authorization parameters and configuring the data path between the computer 20 
and the network 63 as specified by the communication parameters of the selected 
profile 76. 
To cause the directory 78 to recognize a new user of the network 63, a utility 
program 84 (Fig. 2) may be executed at one of the servers of the network 63, such as 
the directory server 67, and perform the procedure of the flowchart of Fig. 5. At step 
502, the utility program 84 presents a user-interface (UI) having a series of fields to 
be filled out by the individual. The fields may include characteristics of the new user, 
such as the new user's name, home telephone number, and the group or groups under 
which the new user will be categorized. At step 504, the utility program 84 receives the 
field entries and creates a user object 80 for the new user in the directory 78. The 
group attribute or attributes of the created user object will correspond to the group 
or groups under which the new user is categorized. As described above, the group 
attribute or attributes are usable by the policy server program 70 to determine which 
profile to send to the NAS 66. In one embodiment of the utility program 84, the 
individual executing the utility program 84 is given the option to specify override 
attributes that are to be applied to the new user at step 506. 

To add a new employee to a hypothetical corporate network, for example, a 
human resources (HR) administrator launches the utility program 84 at the directory 
server 67. If the new person is an outside contractor working for the research group, 
the HR administrator enters "research" and "contractor" in the "groups" field at step 
502. The utility program 84 then creates an object 80 for that person in the directory 
78. The new user object 80 now has the group attributes of "research" and 
"contractor." When the user attempts to access the network 63 via the NAS 66 
(step 400 of Fig. 4), the policy server program 70 retrieves the user's object 80 and 
determines that the user belongs to the groups "research" and "contractor" (step 406). 
Assuming that the policy statements and profiles of Fig. 3a apply, the policy server 
program 70 then searches the policy statements 302-306 (steps 414-418). Since the 
policy statement 302 is the first for which the conditions are met, the policy server 
program applies the policy statement 302 to the user. The policy server program 70 
retrieves the profile 312 and transmits it to the NAS 66. The NAS 66 then grants the 
user access only to resources allowed by the filter settings of the action 324. Note 
that even though the user is also a member of the group "research," the policy 302 
takes precedence over the policy 306 because it is evaluated first in the hierarchy. 
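The login flow of Fig. 4 and the walk-through above, modelled in Python as an added example; this is not the patent's code nor any Microsoft implementation. The directory contents, the stand-ins for policy statements 302-306 and profiles 312-316 (the figures are not reproduced on this page), the password hashing, and the fail-closed default when no statement matches are all assumptions made for the illustration. The example keeps the first-match hierarchy of steps 414-418 (the contractor statement wins for a user who is also in "research"), the override replacement of step 422 (a home number replaces the dummy caller_ID of profile 316), and the NAS-side check of the authorization parameters at step 424.

```python
# Added example (not the patent's code): a model of the policy server program 70 of
# Figs. 2-5. Directory contents, the stand-ins for Fig. 3a's statements and profiles,
# the password hashing and the fail-closed default are assumptions for illustration.
import hashlib
import hmac
import os
from dataclasses import dataclass, field

def _hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

_DUMMY_SALT = b"\x00" * 16   # unknown users cost the same as known ones (no enumeration)

@dataclass
class UserObject:                      # user object 80 in directory 78
    username: str
    salt: bytes
    password_hash: bytes
    groups: frozenset                  # group attributes
    overrides: dict = field(default_factory=dict)   # override attributes, e.g. caller_ID

class Directory:
    def __init__(self):
        self._users = {}

    def add_user(self, username, password, groups, overrides=None):
        """Fig. 5, steps 502-506: create the user object with groups and overrides."""
        salt = os.urandom(16)
        self._users[username] = UserObject(username, salt, _hash_password(password, salt),
                                           frozenset(groups), dict(overrides or {}))

    def lookup(self, username):
        return self._users.get(username)

# Conditions are predicates over the login context: the user's groups plus the link
# characteristics the NAS reports at step 404. AND/OR/NOT build compound conditions.
def group(name):       return lambda ctx: name in ctx["groups"]
def media_type(kind):  return lambda ctx: ctx.get("media_type") == kind
def AND(*conds):       return lambda ctx: all(c(ctx) for c in conds)
def OR(*conds):        return lambda ctx: any(c(ctx) for c in conds)
def NOT(cond):         return lambda ctx: not cond(ctx)

@dataclass
class PolicyStatement:                 # "If <condition(s)> then Profile"
    name: str
    condition: object
    profile: dict                      # actions: authorization and communication parameters

class PolicyServer:
    def __init__(self, directory, statements):
        self.directory = directory
        self.statements = list(statements)   # hierarchical order: the first match wins

    def handle_login(self, username, password, link):
        """Steps 406-424 of Fig. 4: returns a profile for the NAS or a denial."""
        user = self.directory.lookup(username)                          # step 406
        if user is None:
            _hash_password(password, _DUMMY_SALT)        # same cost as a real check
            return {"decision": "deny", "reason": "authentication_failed"}   # step 410
        if not hmac.compare_digest(_hash_password(password, user.salt), user.password_hash):
            return {"decision": "deny", "reason": "authentication_failed"}
        ctx = {"groups": user.groups, **link}
        for stmt in self.statements:                                    # steps 414-418
            if stmt.condition(ctx):
                profile = dict(stmt.profile)                            # step 420
                profile.update(user.overrides)   # step 422: override replaces or adds an action
                return {"decision": "profile", "policy": stmt.name, "profile": profile}
        return {"decision": "deny", "reason": "no_matching_policy"}     # assumed: fail closed

def nas_admit(profile, link):
    """NAS side of step 424: every authorization parameter must hold before access."""
    lo, hi = profile.get("Time_of_day", (0, 2359))
    if not lo <= link.get("time_of_day", -1) <= hi:
        return False
    if "caller_ID" in profile and profile["caller_ID"] != link.get("caller_id"):
        return False
    return True

# Constructed stand-ins for policy statements 302-306 and profiles 312-316 of Fig. 3a.
STATEMENTS = [
    PolicyStatement("302", group("contractor"),
                    {"Time_of_day": (900, 1700), "IP_filter": ["10.1.2.0/24"],
                     "encryption_level": "standard"}),
    PolicyStatement("304", AND(group("research"), media_type("VPN")),
                    {"encryption_level": "high"}),
    PolicyStatement("306", group("research"),
                    {"encryption_level": "standard", "caller_ID": "000-000-0000"}),  # dummy
]

def build_demo_server():
    """Constructed directory: alice (research, with a home-number override) and the
    walk-through's contractor bob, who is in both 'research' and 'contractor'."""
    d = Directory()
    d.add_user("alice", "alice-pw", ["research"], {"caller_ID": "425-555-0100"})
    d.add_user("bob", "bob-pw", ["research", "contractor"])
    return PolicyServer(d, STATEMENTS)
```

Two practitioner points the text implies but does not spell out: an unknown username is rejected with the same message and roughly the same cost as a wrong password, so the NAS cannot be used to enumerate directory accounts; and the order of the statements is itself policy, since placing 306 above 302 would hand a contractor the looser research profile.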

Referring to Fig. 6, an embodiment of a procedure that may be carried out by a 
setup program 82 (Fig. 2) to create policy statements and profiles on the policy server 
68 is shown. At step 600, the individual responsible for enabling the network's 
access policy, who will be referred to as a network administrator in this example, 
launches the setup program 82 at the policy server 68. Through a user interface, the 
setup program 82 presents the network administrator a list of criteria on which a 
policy statement may be based at step 602. To create a group-based policy, the 
network administrator chooses the criteria "group." The setup program 82 then 
obtains a list of groups from the directory 78 and presents the list to the network 
administrator. At step 604, the network administrator selects a group and the logical 
operators from which to create the conditions for a policy statement. The network 
administrator then has the option of creating compound conditions with other groups 
and with non-group criteria. For example, the network administrator may wish to 
have conditions such as: 

If <(group == employee) AND (group <> legal)> then <profile> 
If <(group == premium) OR (media_type == ISDN)> then <profile> 



At step 606, the network administrator is prompted to either associate an existing 
profile with the policy statement or to create a new profile for the policy statement. If 
the network administrator chooses to use an existing profile, the setup program 82 
lets the administrator choose from a list of available profiles at step 608. At 
step 612, the network administrator is prompted to save the changes and the process 
ends. If the network administrator chose to create a new profile at step 606, the flow 
branches to step 610, in which the administrator is prompted to enter the parameters 
desired for the new profile. 

In view of the many possible embodiments to which the principles of this 
invention may be applied, it should be recognized that the embodiment described 
herein with respect to the drawing figures is meant to be illustrative only and should 
not be taken as limiting the scope of the invention. For example, those of skill in the 
art will recognize that the elements of the illustrated embodiment shown in software 
may be implemented in hardware and vice versa or that the illustrated embodiment 
can be modified in arrangement and detail without departing from the spirit of the 
invention. Furthermore, it is understood that some of the steps illustrated in 
flowcharts may be rearranged in obvious respects without departing from the scope of 
the invention. Therefore, the invention as described herein contemplates all such 
embodiments as may come within the scope of the following claims and equivalents 
thereof. 
CLAIMS 

We claim: 

1. A method of enforcing a policy on a computer network comprising the steps 
of: in response to an attempt by a user to access a resource on the network, 
determining a group to which the user belongs; and, based on the determined group, 
selecting an authorization parameter, wherein the authorization parameter is usable to 
grant or deny access to the resource in accordance with the policy. 

2. The method of claim 1, wherein the user is attempting to access the resource 
over a network link, further comprising the steps of: evaluating the link to determine 
a characteristic of the link; and selecting the authorization parameter based on the 
determined characteristic. 

3. The method of claim 1, wherein the selecting step further comprises the step of 
selecting a profile based on the determined group, wherein the authorization 
parameter is contained in the profile. 

4. The method of claim 1, wherein the determining step further comprises the 
step of referencing a user object corresponding to the user, wherein the user object 
has a group attribute representative of the group. 
5. The method of claim 3, further comprising the steps of: adding an override 
attribute associated with the user to the profile; and determining whether to admit or 
deny access to the resource based on the override attribute. 

6. The method of claim 1, wherein the authorization parameter is associated with 
a policy statement, wherein the selecting step further comprises the steps of: 
evaluating the policy statement based on the determined group; and if the policy 
statement is evaluated to be true, selecting the authorization parameter. 

7. The method of claim 1, wherein the authorization parameter represents a time 
of day at which the user is permitted access to the network. 

8. The method of claim 1, wherein the authorization parameter represents a day 
of the week during which the user is permitted access to the network. 

9. The method of claim 1, wherein the authorization parameter represents a 
phone number that may be called by the user. 

10. The method of claim 1, wherein the authorization parameter represents a 
phone number from which the user is permitted to access the network. 

11. A method of enforcing a policy on a computer network comprising the steps 
of: in response to an attempt by a user to access the network from a computer, 
determining a group to which the user belongs; and, based on the determined group, 
selecting a communication parameter, wherein the communication parameter is 
usable to configure a data path between the computer and the network in accordance 
with the policy. 

12. The method of claim 11, further comprising the steps of: evaluating a link 
over which the computer is communicating to determine a characteristic of the link; 
and selecting the communication parameter based on the determined characteristic. 

13. The method of claim 11, wherein the selecting step further comprises the step 
of selecting a profile based on the determined group, wherein the communication 
parameter is contained in the profile. 

14. The method of claim 11, wherein the determining step further comprises the 
step of referencing a user object corresponding to the user, wherein the user object 
has a group attribute representative of the group. 

15. The method of claim 13, further comprising the steps of: adding an override 
attribute associated with the user to the profile; and configuring the data path 
according to the override attribute. 

16. The method of claim 11, wherein the communication parameter is associated 
with a policy statement, wherein the selecting step further comprises the steps of: 
evaluating the policy statement based on the determined group; and if the policy 
statement is evaluated to be true, selecting the communication parameter. 

17. The method of claim 11, wherein the communication parameter represents the 
quality of service of the data path. 

18. The method of claim 11, wherein the communication parameter represents a 
media type for the data path. 

19. The method of claim 1, wherein the communication parameter represents an IP 
address for the data path. 

20. The method of claim 1, wherein the communication parameter represents an 
encryption level for data traveling on the data path. 

21. A computer-readable medium having inscribed thereon a data structure, the 
data structure comprising: a policy statement expressing an implementation of a 
policy for a computer network, the statement conditioned on a group to which a user 
communicating with the network over a data path belongs, wherein the policy 
statement is usable by the network to obtain an authorization parameter usable to 
grant or deny access to a resource on the network in accordance with the policy. 
22. A computer-readable medium having inscribed thereon a data structure, the 
data structure comprising: a policy statement expressing an implementation of a 
policy for a computer network, the statement conditioned on a group to which a user 
communicating with the network over a data path belongs, wherein the policy 
statement is usable by the network to set a communication parameter usable to 
configure the data path in accordance with the policy. 

23. A computer network comprising: a network access server for granting or 
denying access to a resource on the network from a computer according to an 
authorization parameter; a policy server linked for communication with the network 
access server, wherein the policy server provides the authorization parameter to the 
network access server based on a group to which the user belongs; and a directory 
server linked for communication with the policy server, the directory server having an 
object corresponding to the user, the object having an associated group attribute, the 
group attribute being usable by the policy server to determine the group to which the 
user belongs. 

24. A computer network comprising: a network access server for configuring a 
data path between a computer and the network according to a communication 
parameter, wherein the data path enables a user at the computer to communicate with 
the network; a policy server linked for communication with the network access 
server, wherein the policy server provides the communication parameter to the 
network access server based on a group to which the user belongs; and a directory 
server linked for communication with the policy server, the directory server having an 
object corresponding to the user, the object having an associated group attribute, the 
group attribute being usable by the policy server to determine the group to which the 
user belongs. 

25. A computer-readable medium having computer-executable instructions for 
performing steps comprising: prompting a user to select a group on which to base a 
policy statement, the statement being representative of a policy for a computer 
network; prompting the user to select an authorization parameter to associate with the 
group; and, in response to the selections, creating the policy statement such that the 
group represents a condition of the policy statement and the authorization parameter 
represents the fulfillment of the condition, the authorization parameter being usable to 
grant or deny access to a resource on a network by a computer in communication with 
the network in accordance with the policy. 

26. A computer-readable medium having computer-executable instructions for 
performing steps comprising: prompting a user to select a group on which to base a 
policy statement, the statement being representative of a policy for a computer 
network; prompting a user to select a communication parameter to associate with the 
group; and, in response to the selections, creating the policy statement such that the 
group represents a condition of the policy statement and the communication 
parameter represents the fulfillment of the condition, the communication parameter 
being usable to configure a data path between a computer and the network in 
accordance with the policy. 

27. A computer-readable medium having computer-executable instructions for 
performing steps comprising: in response to an attempt by a user to access a resource 
on a network, determining a group to which the user belongs; and, based on the 
determined group, selecting an authorization parameter, wherein the authorization 
parameter is usable to grant or deny access to the resource in accordance with a policy 
of the network. 

28. A computer-readable medium having computer-executable instructions for 
performing steps comprising: in response to an attempt by a user to access a network 
from a computer, determining a group to which the user belongs; and, based on the 
determined group, selecting a communication parameter, wherein the communication 
parameter is usable to configure a data path between the computer and the network in 
accordance with a policy of the network. 

29. A method of enforcing a policy on a computer network comprising the steps 
of: in response to an attempt by a user to access the network through a 
communication medium, determining a group to which the user belongs; determining 
the medium type and, based on the determined group and the medium type, selecting 
an action, wherein the action is usable to grant or deny access to the network in 
accordance with the policy. 

30. A method of enforcing a policy on a computer network comprising the steps 
of: in response to an attempt by a user to access a network over a dial up link using a 
called number, determining a group to which the user belongs; determining the called 
number of the dial up link and, based on the determined group and the number, 
selecting an action, wherein the action is usable to grant or deny access to the network 
in accordance with the policy. 

31. A computer-readable medium having computer-executable instructions for 
performing the steps of: in response to an attempt by a user to access a computer 
network through a communication medium, determining a group to which the user 
belongs; determining the medium type and, based on the determined group and the 
medium type, selecting an action, wherein the action is usable to grant or deny access 
to the network in accordance with a policy of the network. 

32. A computer-readable medium having computer-executable instructions for 
performing the steps of: in response to an attempt by a user to access a computer 
network over a dial up link using a called number, determining a group to which the 
user belongs; determining the called number of the dial up link and, based on the 
determined group and the number, selecting an action, wherein the action is usable to 
grant or deny access to the network in accordance with a policy of the network. 



ABSTRACT OF THE INVENTION 

A policy server program evaluates one or more policy statements based on the 
group or groups to which a user belongs as well as other conditions. Each policy 
statement expresses an implementation of the access policy of the network, and is 
associated with a profile. The profile contains one or more actions that are to be 
applied to the user. The policy server program determines the identity of the group or 
groups to which the user belongs by referencing one or more group attributes 
contained in a user object which is located in a directory on the network. The user 
object and its group parameters are established when the user is added to the 
directory, while a policy statement for a group can be created at any time. 
FIG. 3a 

If <group==contractor> then <profile_1>                  (302) 
If <group==research> and <media_type==VPN> then <profile_2a> 
If <group==research> then <profile_2b> 

<profile_1> 
encryption_level = high; 
IP_address_assigned = 456.78.90.123; 
Time_of_day == 0900.1700; 
Day_of_week == Mon Tue Wed Thu Fri; 
IP_filter = 351.67.23.99; 
called_phone_number == 425. 
authentication_type = secure; 

<profile_2a> 
encryption_level = high; 
authentication_type = secure; 

<profile_2b> 
encryption_level = low; 
caller_ID == 555-1212; 
caller_ID == 666-1212 

FIG. 3b 

If <group==basic_access> then <profile_basic_access> 
If <group==ISDN> then <profile_ISDN> 

<profile_basic_access> 
media_type == dial in; 
QoS = best effort; 

<profile_ISDN> 
media_type == dial in AND ISDN; 
QoS = priority 11; 
multi_link == 2; 
Flowchart residue, Fig. 4 (policy server procedure): Start; Step 400 Create link with NAS; Step 402 NAS evaluates link; NAS notifies policy server program of login attempt; Step 412 NAS denies access; Select profile corresponding to the policy statement; Step 422 Replace actions in the profile with override attribute; Step 424 Transmit profile to NAS; Finish. 

Flowchart residue, user-creation procedure of utility program 84 (steps 502-506): Step 502 Prompt for characteristics of new user; Step 504 Create user object based on entered characteristics; Step 506 Prompt for override attributes. 

Flowchart residue, Fig. 6 (setup program 82): Step 600 Launch setup program; Step 602 Present list of criteria; Step 604 Present list of groups and prompt for selection; Step 608 Prompt for choice of existing profile; Step 610 Prompt for entry of new parameters; Prompt to save changes. 